[Pkg-clamav-devel] Bug#774726: libmspack: CHM decompression: pointer arithmetic overflow

Jakub Wilk jwilk at debian.org
Tue Jan 6 20:18:30 UTC 2015


Package: libmspack0
Version: 0.4-2
Severity: grave
Tags: security patch
Usertags: afl

The attached patch fixes three pointer arithmetic overflows, which can 
later cause buffer over-read. (I'm not familiar with the code base, so 
please double-check the patch.)

Two sample CHM files that trigger segfaults, which are caused by the 
overflows, are also attached.

This bug does affect ClamAV.

This bug was found using American fuzzy lop:
https://packages.debian.org/experimental/afl


-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages libmspack0 depends on:
ii  libc6              2.19-13
ii  multiarch-support  2.19-13

-- 
Jakub Wilk
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fix-pointer-arithmetic-overflow.diff
Type: text/x-diff
Size: 993 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-clamav-devel/attachments/20150106/db3af59e/attachment.diff>
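
The bug class named in the report, shown as an added example; it is not part of the original message and is not libmspack code. A bounds check written as `p + len <= end` can wrap on a 32-bit target and accept a huge length, while comparing `len` with `end - p` cannot. The record layout, the sample bytes and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* 32-bit addresses modelled as integers (the report is from i386), so the
 * wrap is well-defined unsigned arithmetic, not undefined pointer overflow. */
typedef uint32_t addr32;

/* Overflow-prone form: p + len is computed first and can wrap past zero. */
static int fits_wrapping(addr32 p, addr32 end, uint32_t len)
{
    return (addr32)(p + len) <= end;
}

/* Overflow-free form: compare len with the space left before end. */
static int fits_safe(addr32 p, addr32 end, uint32_t len)
{
    return p <= end && len <= end - p;
}

/* Constructed inputs for a hypothetical record layout:
 * 4-byte little-endian length followed by that many payload bytes. */
static const unsigned char good_rec[] = { 3, 0, 0, 0, 'a', 'b', 'c' };
static const unsigned char bad_rec[]  = { 0xF0, 0xFF, 0xFF, 0xFF, 'a' };
static unsigned char out_buf[8];

/* Copies the payload to out; returns its length, or -1 when the declared
 * length does not fit in the remaining input or in out. */
static long read_record(const unsigned char *buf, size_t buflen,
                        unsigned char *out, size_t outlen)
{
    const unsigned char *p = buf, *end = buf + buflen;
    uint32_t len;

    if ((size_t)(end - p) < 4)
        return -1;
    len = (uint32_t)p[0] | (uint32_t)p[1] << 8 |
          (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    p += 4;
    if (len > (size_t)(end - p) || len > outlen)  /* never forms p + len */
        return -1;
    memcpy(out, p, len);
    return (long)len;
}

int main(void)
{
    return read_record(bad_rec, sizeof bad_rec, out_buf, sizeof out_buf) != -1;
}
```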

